What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 7.4

ISO 27001 Annex A 7.4 - what changed in the 2022 update

If you are in the middle of transitioning your Information Security Management System (ISMS) from the 2013 version to the 2022 update, you have probably noticed that the physical security section has been given a significant upgrade. While the older version focused heavily on perimeters and entry points, the new standard introduces a more proactive approach. The most notable addition in this category is Annex A 7.4: Physical Security Monitoring.

Is Annex A 7.4 a Brand New Control?

One of the biggest surprises for many security managers is that Annex A 7.4 is actually a new control. In the ISO 27001:2013 version, there was no single, dedicated control for the continuous monitoring of physical premises. While elements of monitoring were touched upon in Control 11.1.2 (Physical Entry) and 11.1.6 (Delivery and Loading Areas), they were often treated as secondary functions of access control.

In the 2022 revision, the standard creators decided that simply having a lock or a badge reader wasn’t enough. According to experts at Hightable.io, the introduction of Annex A 7.4 reflects the reality that physical breaches often happen when authorized access is bypassed or when alarms are ignored. By making physical security monitoring a standalone requirement, the standard ensures that organizations are not just protecting their doors, but actively watching them.

The Shift from Passive to Proactive Security

In the 2013 era, physical security was often “passive.” You set up your barriers, and you assumed they worked until someone told you otherwise. Annex A 7.4 shifts this mindset to “proactive.” The requirement states that premises should be continuously monitored for unauthorized physical access.

This means your surveillance systems, whether they are CCTV, motion sensors, or even security guards, must be integrated into a larger monitoring strategy. It is no longer enough to have a camera recording to a hard drive that no one checks. You need to demonstrate that your systems are designed to detect abnormal activity and alert you to it in real time. Hightable.io highlights that this control is about “catching people you don’t want to gain entry, when and if they gain entry.”

Key Requirements of Annex A 7.4

Because this is a new control, it is essential to understand what the 2022 version specifically expects you to implement. The guidance for Annex A 7.4 includes several critical components:

  • Surveillance Tools: You should use a combination of tools like video monitoring (CCTV), intruder alarms, and sensors (motion, sound, or break-glass) to cover your restricted areas.
  • Continuous Coverage: Monitoring should be active 24/7, especially for sensitive areas like data centers, server rooms, or archive facilities.
  • Tamper Protection: Your monitoring systems themselves must be secure. If a thief can simply unplug your camera or cut the power to your alarm without anyone noticing, you are not meeting the standard.
  • Regulatory Compliance: The standard explicitly reminds you to follow local laws regarding privacy and data protection (like GDPR) when implementing video surveillance.

The Role of Control Attributes

One of the major innovations of the ISO 27001:2022 update is the introduction of “Attributes.” These are metadata tags that help you categorize each control. For Annex A 7.4, the primary attribute is Detective.

This is a vital distinction. While perimeters (7.1) and entry points (7.2) are Preventive, monitoring is Detective. As noted by Hightable.io, these attributes allow you to map your physical security to the NIST Cybersecurity Framework or other industry standards, making it easier to show auditors that you have a “defence-in-depth” strategy that covers every stage of a potential breach.

Practical Transition: What the Auditor Will Ask

When you sit down for your transition audit, the auditor will be looking for more than just a list of hardware. They will want to see your monitoring process. Expect questions such as:

  • “How do you know if a camera stops recording?”
  • “Who is responsible for reviewing the security logs and footage?”
  • “What is your response plan if an intruder alarm is triggered at 2:00 AM on a Sunday?”
  • “How have you ensured that your CCTV placement doesn’t violate employee privacy rights?”
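The auditor questions above, together with the tamper-protection requirement, boil down to one check: does the monitoring system notice when a device goes quiet, is tampered with, or fires outside staffed hours, and does that turn into an incident-response alert? The following is an added illustration, not code from Hightable.io or from the standard; device names, the event feed and the staffed-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample state: last heartbeat received from each device (UTC).
# Device names are hypothetical; a real deployment pulls these from the VMS or alarm panel.
HEARTBEATS = {
    "cam-serverroom-01": datetime(2024, 3, 10, 2, 4),
    "cam-loadingbay-02": datetime(2024, 3, 10, 1, 40),   # silent since its power-loss event
    "alarm-archive-01":  datetime(2024, 3, 10, 2, 3),
}

# Constructed sample event feed: (timestamp, device, event type)
EVENTS = [
    (datetime(2024, 3, 10, 2, 1),  "alarm-archive-01",  "intrusion"),
    (datetime(2024, 3, 10, 1, 41), "cam-loadingbay-02", "power_loss"),
    (datetime(2024, 3, 10, 2, 2),  "cam-serverroom-01", "motion"),
]

NOW = datetime(2024, 3, 10, 2, 5)          # a Sunday at 02:05
HEARTBEAT_TIMEOUT = timedelta(minutes=5)
TAMPER_EVENTS = {"power_loss", "video_loss", "tamper", "enclosure_opened"}

@dataclass(frozen=True)
class Alert:
    device: str
    reason: str
    severity: str   # "high" pages the on-call responder; "medium" is reviewed next shift

def staffed_hours(ts: datetime) -> bool:
    # Assumed staffed window: 08:00-18:00 on weekdays.
    return ts.weekday() < 5 and 8 <= ts.hour < 18

def evaluate(heartbeats, events, now, timeout=HEARTBEAT_TIMEOUT):
    """Turn raw device state into incident-response alerts.

    A device that stops reporting is a monitoring gap (the "how do you know a camera
    stopped recording?" question); tamper and power-loss indicators are high severity
    even if the device later recovers; motion outside staffed hours is flagged for review.
    """
    alerts = []
    for device, last_seen in heartbeats.items():
        gap = now - last_seen
        if gap > timeout:
            alerts.append(Alert(device, f"no heartbeat for {int(gap.total_seconds() // 60)} min", "high"))
    for ts, device, kind in events:
        if kind in TAMPER_EVENTS:
            alerts.append(Alert(device, f"tamper indicator: {kind}", "high"))
        elif kind == "intrusion":
            alerts.append(Alert(device, "intruder alarm", "high"))
        elif kind == "motion" and not staffed_hours(ts):
            alerts.append(Alert(device, "motion outside staffed hours", "medium"))
    return alerts

def run_sample():
    return evaluate(HEARTBEATS, EVENTS, NOW)
```

Each high-severity alert is what you would hand to the Incident Response Plan; the list of alerts, with who acknowledged them and when, is the evidence the auditor is asking for.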

Why This Change Matters for Your ISMS

The addition of Annex A 7.4 is a clear sign that ISO 27001 is evolving to meet the challenges of the 2020s. We live in a world of “smart” buildings and integrated technologies. By treating physical monitoring as a core Physical Control, the standard ensures that your hardware assets and physical data are protected by the same level of vigilance that you apply to your digital networks.

As suggested by Hightable.io, the best way to handle this new requirement is to integrate your physical security alerts with your existing Incident Response Plan. When a physical event is detected, it should be treated with the same urgency as a digital threat. This unified approach doesn’t just pass an audit; it creates a much more resilient organization.